That is the expected behavior since the JAAS login is only setting up the security context for subsequent EJB invocations. It does not change or establish the web container security context. That could be done using a custom integration with a Tomcat valve, but this would be non-trivial, and in general not possible as the security settings for the war may require an SSL connection with CLIENT-CERT mutual authentication. You either have to use your own security layer via filters, delegate to the container using the standard web.xml security model, or do deep customization of Tomcat to do what you want.
Thanks for that Scott, I was hoping that wouldn't be the conclusion.
A colleague of mine suggested another solution:
"Use declarative security in the web tier (FORM) and once logged in the principal details are available in the EJB tier"
Apparently it was not with JBoss, but the container login called JAAS.
It sounds like the ideal solution but I guess it depends on the container implementation.
I am gonna try it tonight, but is there any reason why, if I did a FORM authentication, it would be propagated to the EJB?
If you can use declarative security in the web tier you should, as the integration with the EJB tier is automatic.
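For reference, this is what the declarative FORM setup discussed in the thread looks like in a deployment descriptor. It is an added example, not configuration posted by anyone in this thread or shipped by JBoss; the URL patterns, the `user` role name, the login page paths and the `java:/jaas/other` security domain are assumptions you would replace with your own. The standard elements (`security-constraint`, `login-config`, `j_security_check`) are defined by the servlet specification, and the JBoss-specific `security-domain` element is what ties the container login to the JAAS domain so that the principal and roles established here are visible to the EJB tier.

```xml
<!-- WEB-INF/web.xml (servlet-spec declarative security; example, not from the thread) -->
<web-app>

  <!-- Everything under /secure/ requires an authenticated caller in the "user" role.
       Role name and path are assumptions. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <!-- Force TLS so the form credentials are never sent in the clear. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Container-managed FORM login: the container performs the JAAS login,
       so no programmatic LoginContext is needed in servlet code. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ExampleRealm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>   <!-- assumed path -->
      <form-error-page>/loginError.jsp</form-error-page> <!-- assumed path -->
    </form-login-config>
  </login-config>

  <!-- Declare the role so the container can map it (and isUserInRole works). -->
  <security-role>
    <role-name>user</role-name>
  </security-role>

</web-app>

<!-- WEB-INF/jboss-web.xml (JBoss-specific): binds the web container login to a
     JAAS security domain. The domain name below is an assumption; it must match
     an application-policy configured on the server. -->
<jboss-web>
  <security-domain>java:/jaas/other</security-domain>
</jboss-web>

<!-- login.jsp must POST to the container's j_security_check action with the
     standard field names; the container, not the application, handles it. -->
<!--
<form method="POST" action="j_security_check">
  <input type="text"     name="j_username"/>
  <input type="password" name="j_password"/>
  <input type="submit"   value="Log in"/>
</form>
-->
```

Once the container has authenticated the request this way, `HttpServletRequest.getUserPrincipal()` in the servlet and `EJBContext.getCallerPrincipal()` in a bean it calls return the same identity, which is the automatic web-to-EJB integration referred to above. The `CONFIDENTIAL` transport guarantee is worth keeping: FORM login sends the password in the request body, so without TLS the credentials travel in cleartext.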